[Snort-users] SSL worm sigs

Brian Caswell bmc at ...950...
Sun Sep 15 18:23:02 EDT 2002

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, potentual worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0a 0d 0a 0d|";  offset:0; depth:18; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:1;)

As I no longer have an attack lab, I havn't been able to play with the new 
worm that attacks apache-ssl.  However, I have written a sig that looks for
the precurser that the worm sends.   

The worm sends "GET / HTTP/1.1\r\n\r\n" to port 80.  This is not a valid 
HTTP 1.1 request.  This will catch a bunch of lame CGI scanners, and won't 
catch people using the actual exploit, it should catch the worm probing 
your network.

Please test and let me know how the sig works out.  When I get back to work 
tommorow, I will test a bit more, then commit it to the tree for all to 
grab with the snapshots.


More information about the Snort-users mailing list